Tuesday, April 28, 2009

Governance and ICT – a pragmatic approach to getting value



1. Introduction
Executives are tasked by government, boards and in some cases by law to exercise the necessary controls over the organization, be it public, private or not for profit. While traditionally the Audit Committee has oversight over the controls that are in place to mitigate risk (particularly in Finance), the controls over ICT are often loose and misunderstood. The aim of this chapter is to provide a broad non-technical framework that will enable the Audit Committee and Public Service Executives, specifically tasked with the oversight of risk, to ask the right questions without necessarily being experts in the technology involved.

2. Technology and Organisational Complexity
The use of technology in organisations varies. Consider the difference between a financial services organisation, a not for profit organisation and a manufacturing concern.

It is to be expected that the financial services organisation will operate in a highly regulated environment. Access to its systems and security issues would be high priority. Audit trails of data changes would be mandatory. Perhaps real time business continuity and disaster management would be high on the agenda. The spend on ICT would form a larger part of turnover. Systems are complex and varied. The ICT management team is skilled and specialised.

A medium-sized not for profit organisation may have a simpler environment involving donor management and disbursements. A simple accounting infrastructure may be present with perhaps some contact management software for fund raising initiatives. Access and security, while important, are perhaps less important than in the financial services organisation. Verification of controls would also be less complex. It may have a small ICT support staff, or support may perhaps be outsourced.

A manufacturer, on the other hand, could use very complex enterprise resource planning software to plan and manage the organisation's supply chain. This software may have many modules including a financial transaction layer, procurement, sales, inventory and manufacturing planning and control. Often support here is a combination of highly skilled internal ICT staff and external applications support.

The public service is understandably one of the more complex environments, as it contains elements of a service organisation, procurement, project and contract management, treasury and finance, with a large footprint in both delivery to its constituency, as well as performance management within its own organisation, notwithstanding the political complexities within which it operates.

It can be seen from the above that depending on the type of organisation, the complexity of its ICT environment, and its reliance on these systems for survival and daily operation, Audit Committees have different questions to ask. They may also need to have external assistance when verifying that risk is mitigated.

3. The Governance role of the Public Service Executive
We are concerned here with Governance as opposed to Political Governing, which in the case of a public service professional, may be a juggling act. A recommended approach would be to view the governance role in the same light as the duties commonly ascribed to directors of private and public companies, broadly:
-Take the necessary steps to practice due care in the management of the department, organisation or ministry
-Verify that the steps taken are adequate to achieve the delivery and service objectives, in line with policy, legislation and cost
-The actions taken, when measured against a reasonable man, should stand up in the light of public scrutiny
-Implement continual processes in due diligence, accountability and responsibility
-Implement the appropriate activities to monitor protection mechanisms
-And finally, maintain the mechanisms put in place

Delivery in public service is often the largest area of concern, with public service professionals almost in a state of paralysis or limbo, waiting for a decision to be taken by the government of the day. Alternatively, public servants might hold too much power in the opinion of politicians, thus delaying the implementation of policy if it is in conflict with the public servant’s political affiliations.

A non-partisan public service is in truth probably not a reality, but if the same principles of good governance in company law and responsibilities of directors are applied, by inference, the “right” actions will be taken. One must recognise the symbiotic relationship between the politician and public service staff, and to a large degree the unequal power sharing arrangement in place, i.e. the politician should by democratic rights hold more power.

However, there is little reason not to create and implement the optimum mechanisms for delivery to streamline the implementation process, while waiting for decisions to be reached. Politicians come and go, but governments need to have a sense of permanence.

Practical examples of this could be:
-A defined tender and request for quote process that does not need to be redeveloped every time a project is agreed upon.
-A pre qualification process for major projects
-Processes and procedures in place to ensure that delivery is expedited
-Financial governance and control
-Health and pensions systems

The point here is that there is always a framework, business process, pre design, broad scoping exercise, information gathering, or some other pro-active activity that can be done while awaiting a government decision (good management needs to take place). Also, there is existing policy that will guide a proactive executive. Waiting and inactivity increase the chance of poor delivery.

4. Role of the Audit Committee in the Public Service
Traditionally, the Audit Committee's remit is focussed around the evaluation of Risk. The question is, however, whether this will be appropriate in the future or whether the scope needs to be expanded. For example, if the strategic focus is around the effectiveness of service delivery, then the Audit function must be geared to ask the right questions, understand what the outcomes should be, understand the value drivers and make recommendations to improve delivery where it is lacking.

Another area which is often overlooked is non-financial audit, for example: effective provisioning of the military, effectiveness of government ministers, how good is the public service performance management system, or are public records secure from identity theft?

Often the dilemma is faced whether to play an active or passive role in audit. If the objective is to improve value delivery, drive effectiveness of government, improve performance of public servants, then being a passive reporter is totally inadequate. The future role of the public service audit function as an active participant in public service governance, responsible for playing a value added role in is self evident. The Chairman of the Audit Committee should not lose the opportunity to influence and contribute to the success of the organisation and of government. It may well be that the status of the Chairman of the Audit Committee be elevated to one of the highest and most influential political or public appointments in government. The skills here are in the areas of commercial, financial, program management and corporate governance acumen. It's not a legalistic approach if the intention is to get value delivery.

While it might not always be appropriate to drive standardisation of business processes, the Audit Committee needs to understand the value of a solid baseline of delivery. It’s all about alignment to achieve the objectives. An example of this would be a single, agreed upon, transparent and auditable process for procurement. All public service departments buy, why should it be different?

The role and responsibility of the Audit Committee in the Public Service needs to be redesigned if it is to drive and enable change.

5. Understanding ICT
It is not necessary to specialise in, or be an expert in, the detail of the organisation's deployed technology in order to ask some sensible questions. Ask any Managing Director of a company with diverse operations if this is true. However, it does make sense that the more complex the environment, the more assistance will be required. Also, the larger the organisation, the more chance there is that you have a Chief Information Officer, Chief Technology Officer, Chief of IT Governance or a combination of the above to provide the necessary ICT input.

What is important is that there is a framework in place to guide the Audit Committee to ask the right questions. It may be feasible to develop a tool from scratch, or use one or a combination of the many frameworks or tools for ICT governance that are available to guide the process. It is never a decision about which one is used, although they have different areas of focus which you would need to be aware of, but more about how the tool is used, and what objectives are being pursued. Remember that ICT is a changing environment, and therefore the tools need to be dynamic as well.

Fortunately, there are many well developed tools that are available, with good support to ensure that the tools are updated and reflect changing trends in ICT. The figure below seeks to position the toolsets/frameworks in an understandable way.

6. COBIT Example
Control Objectives for Information and related Technology (COBIT)[1] is a set of best practices (framework) for information technology (IT) management. Because of its pragmatic framework, it may be used to address Governance, process improvement and most importantly of all, service delivery. Even if public servants just manage each area mentioned below at a high level, i.e. ask the right questions, ensure that mechanisms are in place to rectify shortcomings, and measure results, there may be an immediate improvement in service delivery.


7. Information Systems are part of the solution
Historically when new governments or individuals are placed in power, the knee jerk reaction is to throw out the old and in with the new.

A policy change or new political appointment is not an excuse for doing away with good practice. As an example, a new individual heads up Finance. Nothing changes in the principles of good accounting practice; GAAP, IFRS etc. remain the same. Financial prudence, control of risk and fiduciary duty remain the same.

Let's expand this to ICT. What makes ICT good is the existence of sound business practice, well identified business processes, solid measurement and remedial action of outcomes, and most importantly of all, the political and managerial gravitas to enforce compliance and discipline. Here politics must be separated from the responsibility of employees in public service to actually be held accountable for performance.

ICT alone cannot make up for or be the elixir to the absence of good governance.

8. Steps to Excellent Service Delivery
-Don’t get rid of useful things when discarding inessential things (Knee Jerk)
-Complex is not always the answer
-Know what the most important public requirement is and build your outcomes around this.
-Remember that there is balance between a wish list and practical reality
-If it cannot be articulated on paper, and I mean down to the last detail, it cannot be translated into technology, not ever.
-ICT fails because of this: “we need a system to do ‘this’, but what ‘this’ is we’re not sure”
-Kick butt and expect excellent results

[1] Toolsets and frameworks referred to may be trademarks of their respective owners.

Thursday, April 16, 2009

Leadership and Governance - missing link?

I find it interesting that there appears to be a disconnect between Leadership and Governance. Board members are responsible for governance or the lack thereof, with the elements of governance being delegated down to total ineffectiveness. In effect, governance is being "managed" with no real accountability by the board.

If you bring leadership into the equation, you will agree that it doesn't fit at all!! So why is this? Surely strong leadership should be the cornerstone of good governance?

Historically, weak and ineffective leadership results in the abuse of power and lack of governance. You can witness this in failing economies and companies going under. So where does leadership extend to? Just the Board? I think not. While it is right that the CEO and directors display and practice good leadership, surely shareholders and stakeholders also carry some responsibility?

In all the times where there have been economic crises, where were the shareholders? It's OK to reap the profits while the going is good, but you can't tell me that shareholders are so oblivious and naive that they do not suspect dirty dealings, especially with the whoppers we have been subjected to recently. It's convenient to look the other way!

Perhaps company law should be rewritten to include shareholders, or those who manage indirect shareholders' money, e.g. pension funds etc., in joint responsibility (and liability) for good governance and therefore corporate failure.

Imagine in the current crisis that instead of the State paying out taxpayers' funds to prop up companies fraught with mismanagement and poor governance, the shareholders were requested to pay back all the dividends earned as a result of these actions.

We would see an exponential improvement in good governance, and an active improvement in good leadership. After all, if you as a shareholder were held jointly responsible for mismanagement, you'd make damn sure that you have the best leadership in place.

Wednesday, April 15, 2009

Audit - Time to add value

I should have perhaps titled the article - Audit - What Value? In a recent presentation I did on behalf of the South African Chapter of ISACA (Information Systems Audit and Control Association), as is my provocative bent, I challenged the group to review the value proposition offered by the audit function, not only IT, but all the elements of good governance.

Where there is a legislative framework in place that forces companies to use a service, it's inevitable that a certain amount of service ethic falls by the wayside (Why should you when companies are forced to use your services anyway?). This in turn affects value delivery. Given that the current global economy is shaky, the focus on cost and value is now suddenly at the top of the board agenda. If good governance was the order of the day, and boards actively practiced their duty of care, this would already be a way of life!

However, back to the point. The days of an audit firm attaching itself like a bloated leech to a company at year end, and completing the required audited statements in a detached fashion, without actively contributing to the good governance of the entity, are over.

Shareholders and boards should view this kind of activity and behaviour with circumspection and downright suspicion. After all, you pay a fortune for the service, and for what - to rubber stamp? Why not go to the CA down the road and do the same thing at a fraction of the cost? Better still, force your board to instill good governance at source, it will save you a lot in the long term.

This is not a singling out of auditors in any way. We should apply the same rigour when selecting any vendor or service provider. We should look for value, we should question the return on investment and we should look to it supporting our strategy and sustainability. Above all, we should look for practical solutions that fit our market and culture. Why should we not expect the same from the audit function?

The challenge is for auditors to look inside of their own organisations and develop a value proposition. Why would I look to you as a valued partner? What makes you different and why shouldn't I use the CA down the road?

Shareholders and boards are well advised to rethink their relationships with their partners, and Auditors are no exception.